Microsoft-Yammer's Authentication Bypass Vulnerability

Posted Aug 27 2013

Stephen Coty

Yammer is enterprise social software designed for private communication within an organization and between its members or groups. Among the critical vulnerabilities discovered in it, this one concerns OAuth, an emerging authorization standard adopted by a growing number of sites, including Twitter, Facebook, Google, Yahoo and Netflix. The vulnerability allows remote attackers to bypass the token protection and compromise the web application's account authorization system. Through various methods, a user's requests can be directed to a malicious server, where the user receives misleading payloads that compromise the account. http://alrt.co/1dmWMjc
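The core defence against an OAuth flow being steered to a server the client never registered is on the authorization server: the redirect target must match a registered URI exactly, and the callback must be bound to the original request with an unguessable state value. The following is an added illustration written for this page, not Yammer's or Microsoft's code and not a description of the patched defect; the client id, URLs and registry are constructed, and it contrasts a loose substring match with the strict check.

```python
"""Added example (not Yammer/Microsoft code): strict OAuth 2.0 redirect_uri
validation and state binding on a minimal authorization server. All client
ids, URLs and state values are constructed for the demo."""
import secrets
from urllib.parse import urlsplit

# Hypothetical client registry: each client id maps to the exact redirect
# URIs registered out of band. Constructed sample data.
REGISTERED_REDIRECTS = {
    "demo-client": {
        "https://app.example.com/oauth/callback",
    },
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Insecure pattern: accept any URI that merely contains the registered
    hostname. A host that embeds that name as a label still passes, so the
    code or token can end up at an unregistered server."""
    for allowed in REGISTERED_REDIRECTS.get(client_id, ()):
        if urlsplit(allowed).hostname in redirect_uri:
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened pattern: the supplied redirect_uri must match a registered
    URI byte for byte, carry no fragment, and use https so the code or token
    does not travel over an unencrypted channel."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


class AuthorizationServer:
    """Minimal in-memory authorization endpoint showing state binding."""

    def __init__(self):
        self._pending = {}  # state -> (client_id, redirect_uri)

    def start_authorization(self, client_id: str, redirect_uri: str) -> str:
        """The client (via the browser) asks to authorize. Proceed only if the
        redirect_uri is registered, and mint an unguessable state value that
        ties this request to the eventual callback."""
        if not strict_redirect_check(client_id, redirect_uri):
            raise ValueError("redirect_uri not registered for client")
        state = secrets.token_urlsafe(32)
        self._pending[state] = (client_id, redirect_uri)
        return state

    def complete_authorization(self, state: str, redirect_uri: str) -> dict:
        """After the user consents, release the code only for a known,
        single-use state and only to the exact redirect_uri captured at the
        start, so a swapped target at callback time is rejected."""
        entry = self._pending.pop(state, None)
        if entry is None:
            raise ValueError("unknown or replayed state")
        client_id, registered_uri = entry
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri changed between request and callback")
        return {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code": secrets.token_urlsafe(24),
        }


if __name__ == "__main__":
    server = AuthorizationServer()
    good = "https://app.example.com/oauth/callback"
    lookalike = "https://app.example.com.attacker.invalid/oauth/callback"
    print("weak check accepts lookalike:", weak_redirect_check("demo-client", lookalike))
    print("strict check accepts lookalike:", strict_redirect_check("demo-client", lookalike))
    state = server.start_authorization("demo-client", good)
    print("code issued:", server.complete_authorization(state, good)["code"][:8] + "...")
```

The lookalike host is rejected by the strict check because the comparison is an exact-string membership test, not a substring or prefix match; the second call with the same state fails because the state is consumed on first use.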

Takeaway: Prevent web crawlers from caching everything on your websites, especially the private communication chatter between internal applications. A patch is now available for this exploit, but without an SSL certificate the communication channel remains unencrypted.